The general idea of a phishing attack is to snare some number of people somewhere. This is akin to fishing with a large net: you don’t care so much about what you catch, but rather that you catch something. Phishing attacks are meant to get some non-zero percentage of people to respond, typically as a means of taking over computers or probing for goodies (bank accounts, credit cards, etc.). If you fail 99% of the time, you’re still fine, because you make up for failure through quantity.

Spearphishing, on the other hand, is much more targeted. In this scenario, you know your targets and do extensive research on them. The goal here is to attack a particular person or firm. If you fail to achieve your goal here 99% of the time, you aren’t so fine: this is much closer to a binary success-failure rather than the broad-based “make up for it in quantity” approach.

For this reason, I do not see spearphishing replacing regular phishing attacks. Instead, I see them as complementary tactics that attackers will use depending upon their goals.